Configure the IOS end of the tunnel
The variables collected above are italicized here. When you need to do some variable substitution in the IOS configuration, pop back into your amazon shell window and echo the variable out. Like this:

Start openswan on the EC2 instance
The following commands prepare the ipsec service boot scripts, and then manually start the service:

chkconfig ipsec on
service ipsec start

That's it! Now I can ping the private ($EC2PRIVATE) address of the EC2 instance from one of my internal machines at home. This works in my environment because the 10.x.x.x address assigned by Amazon happens to fall within the default route in use by my home gateway. You may need to add a static route if you're pushing the 10/8 block elsewhere in your environment.
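To see whether the static-route caveat applies to you, the following added script (not part of the original post) does a longest-prefix lookup of the EC2 private address against a constructed route table and reports whether the chosen next hop is the router that terminates the tunnel; routes are written as PREFIX/LEN=NEXTHOP, and the addresses below are placeholders rather than values from the setup above.

```shell
#!/bin/sh
# Added example, not from the original post. Works out which entry of a local
# route table would carry traffic to the EC2 private address and whether that
# entry points at the IOS router holding the tunnel; if not, a static route for
# the address (or the 10/8 block) is needed. Routes are PREFIX/LEN=NEXTHOP.

ip4_to_int() {
  # Dotted quad -> 32-bit integer using shell arithmetic.
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_prefix() {
  # in_prefix ADDRESS NETWORK/LEN -> prints yes or no
  addr=$(ip4_to_int "$1"); net=$(ip4_to_int "${2%/*}"); len=${2#*/}
  mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
  [ $(( addr & mask )) -eq $(( net & mask )) ] && echo yes || echo no
}

best_nexthop() {
  # best_nexthop ADDRESS ROUTE... -> next hop of the longest matching prefix,
  # or "none" when nothing (not even a default route) covers the address.
  target=$1; shift
  best_len=-1; best_gw=none
  for r in "$@"; do
    prefix=${r%%=*}; gw=${r#*=}; len=${prefix#*/}
    if [ "$(in_prefix "$target" "$prefix")" = yes ] && [ "$len" -gt "$best_len" ]; then
      best_len=$len; best_gw=$gw
    fi
  done
  echo "$best_gw"
}

static_route_needed() {
  # static_route_needed ADDRESS TUNNEL_ROUTER ROUTE... -> yes or no
  target=$1; router=$2; shift 2
  [ "$(best_nexthop "$target" "$@")" = "$router" ] && echo no || echo yes
}

# Constructed sample: a home LAN, a 10/8 route already pushed to some other
# VPN box, and a default route via the IOS router (192.168.1.1) with the tunnel.
EC2PRIVATE=10.251.3.7   # placeholder for the $EC2PRIVATE collected earlier
ROUTES="192.168.1.0/24=onlink 10.0.0.0/8=192.168.1.254 0.0.0.0/0=192.168.1.1"
echo "next hop for $EC2PRIVATE: $(best_nexthop "$EC2PRIVATE" $ROUTES)"
echo "static route needed: $(static_route_needed "$EC2PRIVATE" 192.168.1.1 $ROUTES)"
```

With the sample table the 10/8 entry wins over the default route, so the script reports that a static route is needed; remove that entry and the default route via 192.168.1.1 carries the traffic, matching the situation described above.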

Being able to talk securely to the private address is preferable to using the public one because of applications (SIP, FTP) that embed IP address information into their application payload. These don't NAT well, and now they don't have to.

If you want to be able to talk securely to the public address of an EC2 instance, that can probably be done with a dummy interface on the EC2 end. I'll work on that later.